Can you remind me what your configuration for the API Manager is? I
think you're deploying into Wildfly, correct?
To be honest I'm not very familiar with how the keycloak adapters work,
so I'm guessing here. But based on the little bit of KC integration
code we've written for apiman I'm betting that you need to have session
affinity enabled for the manager UI. Otherwise there's no way for a
given request from the browser to be authenticated without redirecting
to the login page.
Note that I have created the following JIRA that would help with the
flood of auth redirects:
But even so it likely wouldn't fix the underlying problem, which is that
without session affinity it may take some luck for you to successfully
log in and view the UI (since there are a few redirects happening as
part of the login process).
As for the Gateway - you shouldn't need session affinity enabled there,
because there is currently no redirect based authentication happening
(e.g. we're using BASIC Auth to authenticate into the Gateway API from
the Manager).
-Eric
On 1/5/2016 4:05 PM, Paul Blair wrote:
We are testing setting up a configuration where the API gateway, the API
manager UI, and Keycloak are all behind their own load balancers on AWS.
Keycloak is clustered using JDBC_PING.
When I try to access the apimanui URL after logging in via Keycloak,
sometimes the admin page is rendered; sometimes it isn't and I have to
refresh it a few times. I see a flood of requests coming into both of
the Keycloak instances.
From what I can see, after the POST to Keycloak happens, there is a
sequence of 302 redirects that eventually results in a successful GET to
index.html. After that, however, each request for a resource on the page
— css, javascript, fonts, whatever — also gets a 302 and is redirected
to Keycloak and redirected back before the request is successful. I'm
getting the impression from what I'm seeing that the bearer token is not
being received by the browser and/or submitted with requests.
Below is an example from the browser request log. All the browser
requests are to various subdomains of us-west-2.elb.amazonaws.com (the
load balancers); the instances of apiman and Keycloak are all on
subdomains of us-west-2.compute.amazonaws.com. There is currently no
session affinity set up in the load balancers for Keycloak, the apiman
gateway, or the apiman management UI.
Any ideas on what might be causing this?
*** Part 1: Browser login via Keycloak and request for index.html ***
POST
https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CO...
Cookie:"KC_RESTART=[RESTART-01]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]"
GET
https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CO...
Cookie:"KC_RESTART=[RESTART-01]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]"
GET
https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=...
Cookie:"KC_RESTART=[RESTART-01]"
Response: 302
Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]"
Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; Version=1;
Path=/auth/realms/apiman; HttpOnly
KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1;
Expires=Wed, 06-Jan-2016 06:09:59 GMT; Max-Age=36000;
Path=/auth/realms/apiman
KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
GET
https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]&code=[CODE...
Cookie:"OAuth_Token_Request_State=[STATE-01]"
Response: 302
Location:"https://[API_MANAGER]/apimanui/index.html"
Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui
OAuth_Token_Request_State=; Max-Age=0; Expires=Thu,
01-Jan-1970 00:00:00 GMT"
GET
https://[API_MANAGER]/apimanui/index.html
Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Findex.html&state=[STATE-02]&login=true"
Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
OAuth_Token_Request_State=[STATE-02]; secure"
GET
https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon...
Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01];
KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]"
Set-Cookie:"KC_RESTART=[RESTART-02]; Version=1;
Path=/auth/realms/apiman; HttpOnly"
GET
https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=...
Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01];
KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-02]"
Response: 302
Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]"
Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-02]; Version=1;
Path=/auth/realms/apiman; HttpOnly
KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1;
Expires=Wed, 06-Jan-2016 06:10:00 GMT; Max-Age=36000;
Path=/auth/realms/apiman
KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
GET
https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE...
Cookie:"OAuth_Token_Request_State=[STATE-02];
JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
Response: 200
Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui"
*** Part 2: Subsequent requests for resources (here, bootstrap-select.css) ***
GET
https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css...
Cookie:"OAuth_Token_Request_State=[STATE-02];
JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Flibs%2Fbootstrap-select%2Fbootstrap-select.css?cid%3D2015-10-23_16%3A50&state=[STATE-03]&login=true"
Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
OAuth_Token_Request_State=[STATE-03]; secure"
GET
https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?respon...
Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03];
KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]"
Set-Cookie:"KC_RESTART=[RESTART-03]; Version=1;
Path=/auth/realms/apiman; HttpOnly"
GET
https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=...
Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03];
KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-03]"
Response: 302
Location:"https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]"
Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-04]; Version=1;
Path=/auth/realms/apiman; HttpOnly
KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1;
Expires=Wed, 06-Jan-2016 06:10:02 GMT; Max-Age=36000;
Path=/auth/realms/apiman
KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
GET
https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css...
Cookie:"OAuth_Token_Request_State=445/4a12cbb7-c16d-42a5-90c7-cf296616674a;
OAuth_Token_Request_State=[STATE-02];
JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
Response: 400
Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0; Expires=Thu,
01-Jan-1970 00:00:00 GMT"
*** Meanwhile, in Keycloak — the logs have the following segment repeatedly: ***
DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-23) replacing relative valid redirect with: https://[API_MANAGER]/apimanui/*
DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) AUTHENTICATE
DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator: auth-cookie
DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-23) token active - active: true, issued-at: 1,452,019,157, not-before: 1,452,014,329
DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator SUCCESS: auth-cookie
DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) execution is processed
_______________________________________________
Apiman-user mailing list
Apiman-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
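An added diagnostic for the symptom discussed in this thread (my own example, not code from the apiman or Keycloak projects). It parses a browser request log in the layout Paul pasted and pulls out the three signs of a non-sticky load balancer in front of a servlet-session-based OIDC adapter: the JSESSIONID route suffix (WildFly/Undertow appends its instance-id after a dot so a balancer can route on it) differing between the request's Cookie and the response's Set-Cookie, which is what the alternating [SUFFIX-01]/[SUFFIX-02] in the log above shows; each request to the manager that was bounced to the IdP's /protocol/openid-connect/auth endpoint, per path; and requests carrying more than one OAuth_Token_Request_State cookie, which is the state-check failure behind the final 400. The embedded log is constructed to mirror the posted one with placeholder values: [API_MANAGER], [KEYCLOAK] and the cookie names come from the thread, while [NODE-A]/[NODE-B], the other bracketed values and the function names (`parse_entries`, `analyse`) are my own assumptions.

```python
"""Spot the signs of a non-sticky load balancer in an OIDC browser request log."""
import re
from collections import Counter

# Constructed sample in the layout of the posted log (added example, not project
# code); bracketed values are placeholders, [NODE-A]/[NODE-B] are two instance-ids.
SAMPLE_LOG = """\
GET
https://[API_MANAGER]/apimanui/index.html
Cookie:"JSESSIONID=[JSESS].[NODE-A]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?client_id=apimanui&state=[STATE-02]"
Set-Cookie:"JSESSIONID=[JSESS].[NODE-B]; path=/apimanui
OAuth_Token_Request_State=[STATE-02]; secure"
GET
https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]
Cookie:"OAuth_Token_Request_State=[STATE-02];
JSESSIONID=[JSESS].[NODE-B]"
Response: 200
Set-Cookie:"JSESSIONID=[JSESS].[NODE-A]; path=/apimanui"
GET
https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css
Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[JSESS].[NODE-A]"
Response: 302
Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?client_id=apimanui&state=[STATE-03]"
Set-Cookie:"JSESSIONID=[JSESS].[NODE-B]; path=/apimanui
OAuth_Token_Request_State=[STATE-03]; secure"
GET
https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?state=[STATE-03]&code=[CODE-07]
Cookie:"OAuth_Token_Request_State=[STATE-03-SET-BY-OTHER-NODE];
OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[JSESS].[NODE-B]"
Response: 400
Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0; Expires=Thu,
01-Jan-1970 00:00:00 GMT"
"""

HEADER_RE = re.compile(r'^(Cookie|Set-Cookie|Location|Response):\s*(.*)$')
URL_RE = re.compile(r"^https?://([^/]+)(/[^?]*)")

def parse_entries(text):
    """Split the log into one dict per request: method, url, status, headers."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, cur, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line in ("GET", "POST") and i + 1 < len(lines):  # a new request starts
            cur = {"method": line, "url": lines[i + 1], "status": None, "headers": {}}
            entries.append(cur)
            i += 2
            continue
        m = HEADER_RE.match(line)
        if m and cur is not None:
            name, value = m.groups()
            if value.startswith('"'):  # quoted values run on until the closing quote
                parts = [value[1:]]
                while not parts[-1].endswith('"') and i + 1 < len(lines):
                    i += 1
                    parts.append(lines[i])
                value = "\n".join(parts).rstrip('"')
            if name == "Response":
                cur["status"] = int(value)
            else:
                cur["headers"][name] = value
        i += 1
    return entries

def cookie_pairs(header):
    """name=value pairs from a Cookie or Set-Cookie value, duplicates kept."""
    return [(c.partition("=")[0].strip(), c.partition("=")[2].strip())
            for c in re.split(r"[;\n]", header or "") if "=" in c]

def route_of(header):
    """Instance-id suffix that WildFly/Undertow appends to JSESSIONID as '.<id>'."""
    ids = [v.rsplit(".", 1)[1] for n, v in cookie_pairs(header) if n == "JSESSIONID" and "." in v]
    return ids[0] if ids else None

def analyse(text, app_host="[API_MANAGER]"):
    """Count route flips, IdP bounces per path and duplicate state cookies."""
    route_changes, reauth_by_path, dup_state = 0, Counter(), []
    for e in parse_entries(text):
        m = URL_RE.match(e["url"])
        if not m or m.group(1) != app_host:
            continue  # only the adapter-protected application is of interest
        hdr = e["headers"]
        before, after = route_of(hdr.get("Cookie")), route_of(hdr.get("Set-Cookie"))
        if before and after and before != after:
            route_changes += 1  # another node answered and rewrote the route
        if e["status"] == 302 and "/protocol/openid-connect/auth" in hdr.get("Location", ""):
            reauth_by_path[m.group(2)] += 1  # a full round trip to the IdP
        if sum(n == "OAuth_Token_Request_State" for n, _ in cookie_pairs(hdr.get("Cookie"))) > 1:
            dup_state.append((m.group(2), e["status"]))  # the state check cannot pass
    return {"route_changes": route_changes, "reauth_by_path": dict(reauth_by_path),
            "duplicate_state_requests": dup_state}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run as a script it reports on the embedded sample; call `analyse()` on a saved log to check a real deployment. A route-change count close to the number of manager requests, together with re-auth redirects for static assets such as CSS files, is the pattern to confirm before turning on stickiness for the manager UI's balancer. The gateway's balancer can stay non-sticky for the reason Eric gives: the manager talks to it with BASIC auth, so no redirect-based login state lives in a servlet session there.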